FAQ-000245 - CSRF and DML Security Issues / Specific CSRF Resolution Scenarios

Common causes of Cross-Site Request Forgery (CSRF) vulnerabilities in Visualforce pages and Lightning components include: 1. **State Change or DML Operations During Initialization**: Performing state change or DML operations during page initialization in Visualforce pages bypasses the platform's default CSRF protection as these operations are triggered before the page fully loads. 2. **Not Enabling `confirmationTokenRequired`**: If the `confirmationTokenRequired` boolean metadata field is not set to true in Visualforce pages, GET requests to the page don't require a CSRF token, leaving the page vulnerable. 3. **Improper Triggering of Operations in Apex Controllers**: Triggering state change or DML operations in Apex controllers during the instantiation of Lightning or Lightning Web Components (LWC) instead of user actions like button clicks. 4. **Unprotected JavaScript Actions**: Using JavaScript actions in Visualforce pages without leveraging built-in CSRF protection mechanisms. For more details, you can refer to the [Salesforce documentation](/).

The FAQ content is accurate and well-structured. I made a minor improvement by changing 'do not require' to the more conversational contraction 'don't require' to align with the writing style guidelines for being conversational and using contractions. The existing structure, technical accuracy, and all four main points are preserved. The two selected security rules directly relate to the FAQ content: 1. **ApexCSRF**: This rule specifically detects CSRF vulnerabilities in Apex code, which directly relates to points 1 and 3 in the FAQ that discuss 'State Change or DML Operations During Initialization' and 'Improper Triggering of Operations in Apex Controllers.' The FAQ explains exactly the scenarios this rule would flag - DML operations being performed at inappropriate times that bypass CSRF protection. 2. **VfCsrf**: This rule focuses on CSRF vulnerabilities in Visualforce pages, which directly corresponds to points 1, 2, and 4 in the FAQ. Point 2 specifically mentions the 'confirmationTokenRequired' metadata field for Visualforce pages, point 1 discusses DML operations during page initialization in Visualforce, and point 4 addresses 'Unprotected JavaScript Actions' in Visualforce pages. All of these are exactly the types of CSRF vulnerabilities this rule would detect.